When you have finished your investigation and remediation of an incident, you can close it. Closing an incident makes it easy for other Incident Responders to see that the incident no longer requires attention, and it makes it easier for you to filter out incidents that are no longer a risk.
Tip: A notification is sent when an incident is created. No new emails are sent for the same incident when Symantec EDR adds additional events to it, and additional events are added only if they occur within 7 days of the incident being created. If you investigate an incident over several days, more events may occur. Symantec recommends that at the end of a day you close the incident if all of the events that are related to that incident were investigated. That way, the next day you can see if there are new events to address. Note that closing an incident does not delete it. It still appears at the bottom of the Incident list, or you can filter the Incident list to show only closed incidents.
To close an incident
Do any of the following:
In the EDR cloud console, do any of the following:
On the Tasks page for the incident that you want to close, scroll to the far right on the row. Click the three vertical dots to reveal additional options. Click Close. Click the Resolution drop-down list and select the most appropriate resolution. Type your comment and click Close.
In the EDR appliance console, on the action bar of the Incident details page, click Comment. Click the Resolution drop-down list and select the most appropriate resolution. Type your comment and click Close.